Flame Malware and SCADA Security: What are the Impacts?

Submitted by Eric Byres on Tue, 2012-05-29 21:00

Over the weekend a new super worm exploded onto the cyber security landscape. Known as Flame or sKyWIper, it appears to be targeting sites in the Middle East, just like the Stuxnet and Duqu worms did. But what does it have to do with SCADA or ICS security? At this stage the answer appears to be nothing and…everything.

Is it a Worm? Is it a RAT? No, it’s Super Malware!

Let’s start with what Flame is. Rather than just being a typical worm, Flame appears to be a carefully crafted attack toolkit for industrial or political espionage. According to Aleks at Kaspersky Labs: “it is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.”

Now the first unusual thing about Flame is that it is massive. While the typical worm is 50 Kbytes in size, Flame weighs in at 20 Mbytes, nearly 400 times larger.

The reason for this large size is that Flame is a multi-functional toolkit for information stealing, completely reconfigurable by its masters for new tasks. According to the CrySyS report on sKyWIper (aka Flame):

sKyWIper has very advanced functionality to steal information and to propagate. Multiple exploits and propagation methods can be freely configured by the attackers. Information gathering from a large network of infected computers was never crafted as carefully as in sKyWIper. The malware is most likely capable of using all of the computers’ functionalities for its goals. It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, wifi, Bluetooth, USB and system processes.

Flame is a Swiss Army Knife of malware in the sense that it can intercept everything imaginable, but it is not a pile of existing malware code thrown together. It is very cleverly crafted. Like Stuxnet, it has multiple propagation vectors – USB keys, printer sharing, and domain controller rights to name a few.

Its modular architecture allows its creators to massively change functionality and behavior at any time. It also allows its operators to use a sophisticated scripting language called Lua to manage its activities. Plus its code injection techniques are pretty amazing. (If you want to learn more, check out the references at the bottom of this blog).

Who Created Flame?

Flame is no script kiddy project. It is probably not even an organized crime project. All reports from the anti-virus companies analyzing Flame indicate that it was created by a well-funded, professional team of developers. As Kaspersky Labs put it:

“…the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”

What does Flame have to do with SCADA and ICS Security?

On the surface, very little. As currently configured, Flame is clearly an information stealer. There is no evidence that it has SCADA or ICS related modules installed at this time.

That said, Symantec and others report that Flame appears to be the same worm that the Iranian Oil Ministry reported was impacting its facilities at the Kharg Island terminal last month. Iran’s National CERT (MAHER) is also now reporting on the existence of this worm inside Iran.

So what does all this mean to the average control engineer? The good news is that, like Stuxnet, Flame appears to be highly targeted. Like Duqu, it steals information rather than destroying equipment. But the bad news is that this worm clearly indicates that industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, government-sponsored malware.

Call it “cyber warfare” or “cyber hype”, the bottom line is that the information / networked world is getting nastier by the day, and SCADA and ICS are part of that world.

What are your thoughts on this latest super worm? Does its discovery impact your security strategy?

Comments

The small, yet growing, world of sophisticated malware such as the new Flame "worm" with multiple propagation methods illustrates the futility of protecting computer systems. No amount of "air gap" can give you assurance of a clean system. This leads to the inevitability of a compromise to your system resulting in a loss of data or, worse yet, a DoS. The futility of preventing infections places a greater emphasis on contingency planning and disaster recovery (CM/DR). We are increasingly in a CM/DR world. Get ready, it just isn't your turn...yet.

Interestingly, at the same event there was an excellent talk from Dr. Paul Dorey called "Advanced Persistent Threats - A Real Problem with Real Solutions". While this talk was focused on security in the IT portion of the industry, I think there were lots of lessons on managing worms with multiple propagation methods in the ICS/SCADA world. I plan to blog on that in the next few weeks, provided that new developments with Flame don't use up all my blog space. Stay tuned.

I agree that we can gain much from the IT model of APT management, and we first need to reevaluate the bastion model and air gaps as solutions for ICS/SCADA. I will look for a transcript of Dr. Dorey's talk. I will watch your blog as well.

Instead of waiting for things to get further out of hand (a spiral of states engaging in malicious cyber activities (MLA) directed at the critical infrastructure of other states), some effort must be taken to try to "manage" this escalation. Discussed at international fora should be: (1) a pledge to refrain from such activities, (2) states accepting responsibility for detected MLA originating in or transiting through their "cyberspace jurisdictions", and (3) support for creating a willing group of institutions, experts and governments to monitor, analyze and report violations of these pledges.

Middle East countries were much affected by this malware's cyber espionage. It did not even spare governmental organizations. You have shared some new information regarding it that I did not know. What is the present situation?